|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
[2004-06-29 08:37 UTC] lps at cwru dot edu
Description:
------------
I've tested this buggy script on two substantially different setups:
Redhat Linux 5.2 running Apache-1.3.31/PHP 4.3.3
Gentoo Linux V1.4 running Yaws-1.40/PHP 4.3.7
The http-header is posted ok if either:
1. You change the "echo" to "$foo =" and move the header("Cache..") to after the if-statement.
2. The condition in the if statement does not refer to a preset variable.
Hope this helps,
Leon
Reproduce code:
---------------
<?php
header("Testing: 123");
if ($_SERVER["REQUEST_METHOD"] == "POST") {
header("Cache-Control: no-store");
echo $_POST["foo"];
}
?>
<html>
<head>
<title> Bug in PHP 4.3.3 and PHP 4.3.7 </title>
</head>
<body>
<form action="test.php" method="post">
<textarea name="foo">When you submit this, you will not get a 'Cache-Control: no-store' header.</textarea>
<input type="submit" />
</form>
</body>
</html>
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Fri Apr 26 02:01:29 2024 UTC |
Ok, this really appears to be a feature, not a bug. Admittedly I'm new to PHP, but this appears to be an undocumented feature. Nothing is obvious from scanning the manual or looking through the php.ini file. The PHP interpreter seems to be keeping track of some kind of "dirty variable". Certainly, it appears to be intentionally preventing me from setting headers based off of content in $_SERVER["REQUEST_METHOD"]. Of course, this is a computationally undecidable problem, so in order for such a feature to work, there must be cases where the header will always be posted, yet this feature won't let it happen. I've found such a case, and pretty strong evidence for "dirty variables": <?php $is_post = ($_SERVER["REQUEST_METHOD"] == "POST"); if ($is_post) { $foo = ! 0; } else { $foo = ! 1; } $foo = "bar"; if ($foo == "bar") { header("Cache-Control: no-store"); } ?> Now, this header doesn't get set. However, it does if you change the last two occurances of "foo" to "baz" instead. Admittedly, echoing data from GET and POST into http-headers allows for some truly nasty attacks. But it's trivially easy to introduce Cross-Site Scripting vulnerabilities and other sorts of perhaps lesser evils.... Where is this feature documented, and how do you turn this feature off?Uh? What in the world are you talking about? There is no such dirty-variable feature in PHP. Your code example makes no sense. If you do: $foo = "bar"; if($foo == "bar") { action } Then obviously that action will be taken no matter what you do before or after. Pasting your exact code example on my server here and checking the headers I see the Cache-Control header perfectly: 2:45am thinkpad:~> cat www/t.php <?php $is_post = ($_SERVER["REQUEST_METHOD"] == "POST"); if ($is_post) { $foo = ! 0; } else { $foo = ! 1; } $foo = "bar"; if ($foo == "bar") { header("Cache-Control: no-store"); } ?> 2:45am thinkpad:~> HEAD http://localhost/t.php 200 OK Cache-Control: no-store Connection: close Date: Tue, 29 Jun 2004 09:46:01 GMT Server: Apache/1.3.30-dev (Unix) PHP/4.3.8-dev Content-Type: text/html Client-Date: Tue, 29 Jun 2004 09:46:01 GMT Client-Peer: 127.0.0.1:80 Client-Response-Num: 1 X-Powered-By: PHP/4.3.8-dev